webPromedium

Lab 315 — PulseMetrics — SSRF Chain to SSTI via Internal Services

hackadvisor

Task: Flask monitoring platform with webhook integration feature allowing full-read SSRF. Solution: Chain SSRF to discover internal services, leak API key from debug endpoint, then exploit unsandboxed Jinja2 SSTI on authenticated admin report API for RCE.

$ ls tags/ techniques/

flask ssrf rce ssti information_disclosure jinja2 debug_endpoint internal_service webhook api_key_leak

ssrf_via_webhookinternal_port_scanningdebug_config_disclosureauthenticated_ssrf_with_headersjinja2_ssti_rcecycler_globals_popen

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 127 — PulseMetric — Insecure Deserialization via Pickle in Agent Report API— hackadvisor
[web][Pro]Lab 389 — PulseBoard — SSTI in Custom Widget Template Builder— hackadvisor
[web][Pro]Lab 282 — StreamForge — SSRF via Webhook Test Bypasses Proxy Auth— hackadvisor
[web][Pro]Lab 236 — PulseAlert — Blind SSTI via Notification Template Engine— hackadvisor
[web][Pro]Lab 247 — PulseGuard — SSTI in Webhook Notification Templates— hackadvisor